On Mon, Dec 21, 2009 at 5:17 PM, Kenton Varda <ken...@google.com> wrote:
> The problem we're getting at is that CORS is being presented as a security
> mechanism, when in fact it does not provide security. Yes, CORS is
> absolutely easier to use than UM in some cases -- I don't think anyone is
> going to dispute that. The problem is that the security it provides in
> those cases simply doesn't exist unless you can ensure that no resource on
> *any* of your allowed origins can be tricked into fetching your "protected"
> resource for a third party. In practice this will be nearly impossible to
> ensure except in the most simple cases.
Why isn't this a big problem today for normal XMLHttpRequest? Normal
XMLHttpRequest is just like a CORS deployment in which every server has a
policy of allowing its own origin.

Adam
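Added example, not from the thread or any of its participants: a small Python model of both positions. It has a strict Origin normaliser and allow-list based CORS response-header logic, a helper expressing Adam's "every server allows its own origin" policy, and an allow-list audit that flags the allowed origins Kenton describes (ones hosting a page or endpoint that can be tricked into fetching a URL for a third party). All origins, policies and the `forwarding` set are constructed sample values.

```python
from urllib.parse import urlsplit

def normalize_origin(origin):
    """Canonical 'scheme://host[:port]' for an Origin header value, or None
    when it is not a plain web origin (e.g. 'null', a URL with a path or
    userinfo, an out-of-range port), so it can never match an allow-list."""
    if not isinstance(origin, str):
        return None
    try:
        p = urlsplit(origin)
        port = p.port  # raises ValueError for non-numeric / out-of-range ports
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    if p.path or p.query or p.fragment or p.username or p.password:
        return None
    default = 443 if p.scheme == "https" else 80
    suffix = "" if port in (None, default) else f":{port}"
    return f"{p.scheme}://{p.hostname.lower()}{suffix}"

def cors_headers(request_origin, allow_list):
    """Response headers for a credentialed resource whose allow-list is a set
    of canonical origins. The Origin value is echoed only on an exact match
    (never reflected, never '*'), and Vary: Origin keeps shared caches from
    replaying one origin's answer to another."""
    headers = {"Vary": "Origin"}
    origin = normalize_origin(request_origin)
    if origin is not None and origin in allow_list:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def same_origin_only(resource_origin):
    """Adam's observation: plain XMLHttpRequest behaves like a CORS deployment
    in which each server's allow-list contains only its own origin."""
    return {normalize_origin(resource_origin)}

def audit_allow_list(target, policies, forwarding):
    """Kenton's point: the allow-list of `target` protects it only if no allowed
    origin can be tricked into fetching for a third party. `policies` maps an
    origin to its allow-list (default: same-origin only); `forwarding` is the
    set of origins known to host such a fetch-on-behalf page or endpoint
    (constructed, hypothetical inventory). Returns the offending origins."""
    allowed = policies.get(target, same_origin_only(target))
    return {o for o in allowed if o in forwarding}

if __name__ == "__main__":
    policies = {"https://api.example": {"https://api.example",
                "https://app.example", "https://widgets.example"}}
    print(cors_headers("https://app.example", policies["https://api.example"]))
    print(audit_allow_list("https://api.example", policies, {"https://widgets.example"}))
```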